In the Drawings : 

Enclosed is a replacement sheet for Fig. 1, Subject to the approval of the Examiner, it is 
respectfully requested that the new drawing sheet be substituted for the originally filed drawing sheet 
for Fig. 1. 

An extra copy of the original drawing sheet with changes indicated in red, Is also attached. 
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Remarks 

The above Amendments and these Remarks are in reply to the Office Action mailed April 1 9, 

2006, 

Claims 1-41 were pending in the Application prior to the outstanding Office Action. In the 
Office Action, the Examiner rejected claims 1-41, The present Reply amends claims 1-5, 7, 9-1 1 , 
14, 16, 18-21, 24, 2B-29, 31, 33, 35-36, and 41, leaving for the Examiner's present consideration 
claims 1-41. Reconsideration of ttie rejections is requested. 

I. Summary of Examiner's Objections 

The drawings were objected to due to the omission of the legend Prior Art in Figure 1. 
The specification was objected to due to the use of trademarks presented without 
capitalization. 

Claims 16, 33 and 36 were objected to due to certain informalities. 

II. Summary of Examiner's Rejections 

Claims 1-41 were rejected under 35 U.S.C, §112, second paragraph, as being indefinite for 
failing to particularly point out and distinctly claim the subject matter which Applicant reganJs as the 
Invention. 

Claims 1-17 and 40-41 were rejected under 35 U.S.C §101 as being directed to non- 
statutory subject matter. 

Claims 1-2, 5-19, and 22-41 were rejected under 35 USC 103(a} as being unpatentable over 
Wiederhold (U.S. 6,226,745) in viewof Devine et al. (U.S. 6,606,708) and further in viewof Blewett 
(U.S. 5,551,040). 

Claims 3-4 and 20-21 were rejected under 35 USC 103(a) as being unpatentable over 
Wiederhold in view of Devine et al. and Blewett and further in view ofjavaworid.com. 
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III. Summaivof Applicanfs Response 

Applicant amended the drawings, specification, and claims to overcome the office action's 
Objections, 35 U.S.C. §112 rejections, and 35 U.S.C. §101 rejections. 

With regards to the 35 U.S.C. § 103 (a) rejection, Claim 1 is patentable over Wiedertiold in 
view of Devine and further in view of Blewett. The applicanfs specification describes two 
innovations that are not found in the prior art. The first innovation is the idea of a pluggable security 
framework, where different security providers may be plugged into a security service to make 
contributory decisions regarding whether or not to pemiit access to a protected resource. The 
second innovation Is to use Context Information from the Application Container through callbacks to 
be able to dynamically assign a role to a user at run-time, Instead of relying upon static pre-defined 
roles for security permissions. For similar reasons, claims 2-41 are also patentable. 

IV. Response to Rejections 

1. Objections 

Applicanfs drawings, specification, and claims 16, 33, and 36 were amended to overcome 
the office action's objections. Accordingly, it is respectfully requested that these objections be 
withdrawn. 

2. Claim Rejections under 35 U.S.C. § 1 12 

Claims 1-5, 7, 9-11, 14, 18-21, 24, 26-29, 31, 35, and 36 were amended to overcome the 
office action's twenty-two 35 U-S.C. § 112 rejections to claims 1-41. Accordingly, it is respectfully 
requested that these rejections be withdrawn. 

3. Claim Rejections under 35 U.S.C. § 101 

Claim 1 was amended to overcome the office action's rejections to claims 1-17, 40-41, 
Accordingly, it is respectfully requested that these rejections be withdrawn, 
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4. 



Claim Rejections under 35 U.S.C. § 103 (a) 



Claim 1 is patentable over Wiederhold in view of Devine and further in view of Blewett: 

Claim 1 has been amended by the cun-ent response to more clearly define the embodiment 

of the invention therein. As amended, claim 1 defines: 

1 . (Currently Amended): A security system for allowing a client to access a 
protected resource through an application container, the security system comprising: 

an application interface mechanism for receiving an access request from a 
client to access said protected resource, and communicating the access request to 
the application container, and the application container calls the security service with 
the access request and a callback handler; 

said security service for making a decision to permit or deny the access 
request, wherein the security service includes a plurality of security providers that 
may be plugged into the security service, and wherein the plurality of security 
providers use the callback handler to request context infonmation from the 
application containerfor the access request, and wherein depending on output Irom 
each security provider the security service determines entitlements for the client to 
use with the protected resource: 

said security service is located at a first computer, and said protected 
resource is located either at the same first computer or at a second computer; and 

a resource interface for communicating pennitted access requests to said 
protected resource. 



The two primary advantages of the system defined by Claim 1 are the pluggable architecture 
to allow business logic and security plug-ins Into the security service and the ability to assign 
security roles to a user at run-time through the use of Context Information and callbacks. 
Traditional security mechanisms tend to be context-less since they are based solely on pre-existing 
permissions granted to a principal for a given resource; ttierefore. the only types of authorization 
decisions that can be made are whether the principal has the necessary permissions to access the 
resource. In accordance with Clarm 1 , a pluggable architecture allows security and business logic 
plugins to be inserted into a security service, and to control access to protected resources. A 
request context may include the identity of the target object, the value of the parameter of the 
request, and potentially environmental information such as the networi< or IP address of the initiating 
client The providing of context information without prior knowledge is accomplished by using 
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callbacks to the containers from the authorization provider. Dynamic Role Association, as described 
in Applicant's specification, uses Context Information and callbacks as described above to go 
beyond static pre-defined roles and assign security roles to a user at run-time (See Applicant's 
specification, paragraphs 0043-0055). 

Wiederhold discloses a security mediator system for use with a Relational Database System. 
The security mediator uses a keyword list and a rules engine to approve or deny queries and result 
sets. Wiederhold also includes a human being, the Security Officer, for additional security functlons- 

The applicant's invention was meant to solve a different business problem than the problem 
that faced Wiederhold. Wiedertiold's security system depends upon pre-defined security roles 
whereas the applicant's invention allows you assign roles dynamically to users at run-time by making 
callbacks to the application container for context information to dynamically set the user (or client) 
role at runtime. Wiederhold's security mediator allows a human being (the security officer) to write 
additional security rules, but there is no provision for plugging in additional security providers into the 
Security Service. Wiederhold's application was meant to modify a Relational Database 
Management System, whereas the Applicant's invention involves a J2EE Application Container. 

Neither does Devine teach callback handlers or context infomriation or using callbacks to 
request context information. Instead. Devine teaches that when a user logs into a specific 
application with a ID and password, an application server retrieves user entitlements for that 
application, (col. 27, lines 15-18). Devine teaches that the user logs into the specific application on 
a Web Page (col. 27, line 34) using a GUI interface. (Fig. 6). As defined in Devine, entitlements 
represent specific services to which the user has subscribed and has privilege to access, i.e. 
standard pre-defined role-based permissions (Col, 16, lines 46-47). There is no use of context 
information or callback handlers related to the user's request to access the specific application fn 
order to dynamically define the user's role at oin-time. Further, the servers described in Devine are 
not application containers. Finally, the GUI interface into which the user logs on to the application, 
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does not read on the use of callbacks and call bacK handlers because the GUI interface only 
handles the means by which the user makes a request to access an application. Thus, Devine does 
not teach callbacks, callback handlers, use of context informatfon or application containers, as 
required by Claim 1- 

Blewett teaches call backs for event handling for Graphic User Interfaces (GUI). Blewett 
does not teach callbacks for communication between a Service and an Application Container. 
Blewett's use of callbacks is far different from the applicant's invention ^Art^erein the plurality of 
security providers use the callback handler to request context information from the application 
container for the access request," (Claim 1. as amended). 

Neither Wiederhold nor Devine nor Blewett teach the use of Application Containers or 
Context Infomnation, Paragraph 0034 of the Applicant's specification , states "the terms used in this 
document are consistent with terminology as defined in standard texts on Java, Enterprise 
JavaBeans, WebLogic Server, and other generally accepted security concepts." The J2EE 
specification states that Application "Containers provide the runtime support for J2EE application 
components. Containers provide a federated view of the underlying J2EE APIs to the application 
components. J2EE application components never interact directly with other J2EE application 
components. They use the protocols and methods of the container for interacting with each other 
and with platform services." (Page 8 of the J2EE specification, http://iava.sun.com/j2ee/i2ee-1_4-fr- 
spec.pdf). Context information is another term well-known in the art. Specific types of context 
infonmation include the ServletContext that describes a set of methods that a senrfet uses to 
communicate with its application container (http://fava.sun.eom/i2ee/1 .4/docs/api/iavax/servIet/ 
SeivletContext.htmn and the EJBContext that provides an EJB instance with access to the 
container-provided runtime context of an enterprise Bean f http://lava.sun. com/ 
i2ee/1 .4/docs/api/iavax/eib/EJBContext.htmn . The above definitions establish a major difference 
between the Applicant's invention and Wiederhold in view of Devine and further in view of Blewett. 
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For the above reasons. Applicant respectfully submits that the embodiment as defined in 
Claim 1 is neither anticipated by nor obvious in view of Wiederhold and Devine and Blewett, taken 
alone or in combination. Even lfjavaworld.com was added as a reference, the resulting combination 
would be distinguishable from claim 1 and the Applicant's invention as described in the specification. 
Furthermore, the combination of Wiederhold and Devine and Blewett is not obvious. We 
respectfully request that the rejection to claim one be withdrawn. 

Dependent claims 2-17, 40-41 depend from claim 1. For at least the reasons discussed 
atx)ve with regards to claim 1 , claims 2, 5-17, 40-41 are also patentable over Wiederhold in view of 
Devine et al. and further in view of Blewett. For the reasons discussed above, dependent claims 3-4 
are patentable over Wiederhold in view of Devine et aL and Blewett and further in view of 
javaworld.com. 

It is also submitted that claims 2-17, 40-41 also add their own limitations which render them 
patentable in their own right Applicant reserves the right to argue these limitations should it 
become necessary in the future. 

Independent claim 18 and its dependent claims 19^4 are believed to be patentable for 
reasons similar to those discussed above with regards to claims 1-17, 40-41 . 

Independent claim 35 and its dependent claims 36-39 are believed to be patentable for 
reasons similar to those discussed above with regards to claims 1-17, 40-41. 

In light of the above, it is respectfully submitted that all of the claims now pending in the 
subject patent application should be allowable, and a Notice of Allowance is requested. I will call the 
examiner in two weeks to request an interview for the purposes of discussing claim 1 and the 
applicability of Wiederhold in view of Devine and further In view of Blewett The Examiner Is 
respectfully requested to telephone the undersigned before an advisory action is issued in order to 
avoid any unnecessary filing of an appeal. 
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Endosed is a PETITION FOR EXTENSION OF TIME UNDER 37 C.F.R. § 1.136 for 
extending the time to respond up to and Including today, August 23, 2006. 

The Commissioner Is authorized to charge any underpayment or credit any overpayment to 
Deposit Account No. 06-1325 for any matter in connection with this response, including any fee for 
extension of time, which may k>e required. 



FLIESLER MEYER LLP 
Four Embarcadero Center, Fourth Floor 
San Francisco, California 94111-4156 
Telephone: (415) 362-3800 
Customer No. 23910 



Respectfully submitted, 





Thomas K. Plunkett 
Reg. No. 57,253 
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